Data Security Compliance: Essentials Only

With cyber threats constantly evolving, new compliance regulations are being proposed and enacted around data protection and data privacy. Staying compliant is never an easy task. However, the idea that data protection and compliance must be a core part of all business practices makes good sense in the end. After all, the goal of data security compliance regulations is to help companies achieve integrity, security and availability of information systems and sensitive data. They provide a set of rules and guidelines that help organizations protect their systems and data from security risks.

Applies to: Any organization that provides financial products or services to customers

Data covered: Nonpublic personal information (NPI); personally identifiable information (PII)

Key requirements:
- Ensure the secure collection, disclosure and protection of consumers’ NPI and PII
- Clearly explain to consumers what data is collected about them, where it is shared, how it is used and how it is protected
- Develop a written information security plan to protect customers’ NPI and PII

Penalties: $100,000 fine per violation for the organization; $10,000 fine per violation or up to 5 years in prison for personally liable officers

General Data Protection Regulation (GDPR)

Applies to: All organizations that process the personal data of EU residents

Data covered: Personal data of EU residents

Key requirements: Process personal data in a manner that ensures its security, including protecting against unauthorized or unlawful processing and accidental loss, destruction or damage

Penalties: Fines of up to 4% of the company’s annual worldwide turnover or €20 million, whichever is higher

How best-practice standards and frameworks can help you achieve and maintain compliance

In order to improve data security and ensure regulatory compliance, organizations often align their security programs with established frameworks developed based on industry best practices, academic research, training and education, internal experience, and other materials. These frameworks offer repeatable procedures that have proven themselves over time in a large number of organizations. Organizations are free to choose the framework that best suits their needs, or to not use one at all.

Here are some of the most popular frameworks:

NIST SP 800-53. This framework establishes security standards and guidelines for government agencies and federal information systems. In particular, it fully supports FIPS 200 — a security standard that companies need to implement in order to achieve FISMA compliance. Because it provides general best practices, the NIST framework is also widely used in the private sector.

NIST Cybersecurity Framework. This framework provides standards, guidelines and best practices to help organizations manage cybersecurity risks. HIPAA-covered companies can use the crosswalk map between the HIPAA Security Rule and the NIST Cybersecurity Framework to improve information security and better safeguard ePHI by filling in the gaps in companies’ cybersecurity posture.

ISO 27000 series. These standards for IT security help organizations safeguard financial information, employees’ personal data, intellectual property and other critical assets. In particular, ISO 27001 is an international standard for the establishment, implementation, maintenance and continuous improvement of an information security management system (ISMS); it provides practical details on how to develop clear, comprehensive policies to minimize security risks.

BS 10012. This framework is aligned to the data security requirements of the GDPR. It covers a massive amount of ground concerning data privacy, although like many frameworks and standards, it is not a complete model for GDPR compliance.

When there is no framework that fully supports a certain regulation, organizations often use a combination of frameworks and controls to meet their compliance requirements and business needs. In fact, the process of ensuring and demonstrating compliance often involves comparing required controls to established security measures in order to identify and remediate any gaps.

Five tips for complying with data security regulations

No matter which framework, if any, you choose to adopt, the following five tips will help you on your journey to regulatory compliance:

Understand what data you have. Depending on the compliance regulations they are subject to, organizations might need to protect cardholder information (PCI DSS), health records (HIPAA), PII of EU residents (GDPR) or other data. Data discovery and classification tools can help you locate regulated data so you can ensure it is protected by appropriate security controls and is trackable and searchable as required.
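The kind of data discovery and classification described above can be illustrated with a small scanner. This is an added example, not code from the original article or from any product it mentions: it walks a few constructed sample records, flags values that look like cardholder data (digit runs that pass the Luhn checksum), health records, or EU residents' contact data, and tags each hit with the regulation family the tip names. The record layout, the `residency` flag, the `MRN-` identifier shape and the category-to-regulation mapping are all assumptions made for illustration.

```python
"""Minimal data-discovery scanner (added example; not from the original article).

Scans constructed sample records, flags fields that look like regulated data and
tags each finding with the regulation family named in the article: PCI DSS for
cardholder data, HIPAA for health records, GDPR for EU residents' personal data.
Field names, the residency flag and the MRN pattern are assumptions for illustration.
"""
import re
from dataclasses import dataclass

# Candidate primary account numbers: 13-19 digits, optionally separated by spaces/dashes.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
EMAIL_RE = re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b")
# Assumed medical-record-number shape used only by the constructed sample data.
MRN_RE = re.compile(r"\bMRN-\d{6,}\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: filters out most random digit runs that merely look like PANs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


@dataclass(frozen=True)
class Finding:
    record_id: str
    field: str
    category: str      # e.g. "cardholder_data"
    regulation: str    # e.g. "PCI DSS"
    preview: str       # masked value, so the scan report itself is not sensitive


def mask(value: str) -> str:
    """Keep only the first two and last four characters of a sensitive value."""
    if len(value) <= 6:
        return "*" * len(value)
    return value[:2] + "*" * (len(value) - 6) + value[-4:]


def classify_field(record_id: str, field: str, value: str, eu_resident: bool) -> list:
    findings = []
    for m in CARD_RE.finditer(value):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):  # drop order numbers and other non-card digit runs
            findings.append(Finding(record_id, field, "cardholder_data", "PCI DSS", mask(digits)))
    if MRN_RE.search(value):
        findings.append(Finding(record_id, field, "health_record", "HIPAA", mask(value)))
    if eu_resident and EMAIL_RE.search(value):
        findings.append(Finding(record_id, field, "eu_personal_data", "GDPR", mask(value)))
    return findings


def scan(records: list) -> list:
    """Return all findings across the given records (assumed: each has 'id' and 'residency')."""
    findings = []
    for rec in records:
        eu = rec.get("residency") == "EU"
        for field, value in rec.items():
            if isinstance(value, str):
                findings.extend(classify_field(rec["id"], field, value, eu))
    return findings


def summarize(findings: list) -> dict:
    """Count findings per regulation, the figure a compliance owner usually asks for first."""
    counts = {}
    for f in findings:
        counts[f.regulation] = counts.get(f.regulation, 0) + 1
    return counts


# Constructed sample records; none of these values belong to a real person or card.
SAMPLE_RECORDS = [
    {"id": "r1", "residency": "EU", "email": "ana.example@example.org", "notes": "called about invoice"},
    {"id": "r2", "residency": "US", "email": "bob@example.com", "notes": "card on file 4111 1111 1111 1111"},
    {"id": "r3", "residency": "US", "notes": "ref 1234567890123456 is an order number"},
    {"id": "r4", "residency": "US", "chart": "MRN-00123456"},
]

if __name__ == "__main__":
    for f in scan(SAMPLE_RECORDS):
        print(f"{f.record_id}.{f.field}: {f.category} -> {f.regulation} ({f.preview})")
    print(summarize(scan(SAMPLE_RECORDS)))
```

The Luhn check is what separates the 16-digit order number in record r3 from the card number in r2; without it a scanner produces a flood of false positives that teams quickly learn to ignore. Likewise, the non-EU address in r2 is deliberately not tagged as GDPR data, which shows why a discovery tool needs context (here the residency flag) and not just pattern matching.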

Conduct regular risk assessments. Regular risk assessment is a central mandate of many compliance regulations. At a high level, risk assessment involves identifying risks, assessing the probability of their occurrence and their potential impact, taking steps to remediate the most serious risks, and then assessing the effectiveness of those steps.

Develop a clear plan. Most regulations require a combination of administrative, physical and technical measures, such as policies and procedures, employee training, and IT controls. Managing all of that effectively requires a clear plan. Use existing checklists to see where your company stands and consider using a standard framework as a starting point for designing a data protection policy.

Do extra reading. Many resources are available to make regulations more understandable. For example, this comprehensive guide developed by the UK’s Information Commissioner’s Office (ICO) answers the most common questions about GDPR compliance.

Get advice. If you have more questions than answers and your company doesn’t have an internal compliance officer, consider engaging external advisors who have expertise with the specific regulations your organization is subject to. Professional advice can help you adjust your information security program faster and more effectively, saving you money in the long run.